Base weakness

Stable

CWE-476: NULL Pointer Dereference

Also known as: NPD, null deref, NPE, nil pointer dereference

The product dereferences a pointer that it expects to be valid but is NULL.

1,962

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Medium

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

CWE-476 (NULL Pointer Dereference) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2024-41130 — C++ library for LLM inference has NULL pointer dereference if a read operation fails
CVE-2005-3274 — race condition causes a table to be corrupted if a timer activates while it is being modified, leading to resultant NULL dereference; also involves locking.
CVE-2002-1912 — large number of packets leads to NULL dereference
CVE-2005-0772 — packet with invalid error status value triggers NULL dereference
CVE-2009-4895 — Chain: race condition for an argument value, possibly resulting in NULL dereference
CVE-2020-29652 — ssh component for Go allows clients to cause a denial of service (nil pointer dereference) against SSH servers.
CVE-2009-2692 — Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476).
CVE-2009-3547 — Chain: race condition (CWE-362) might allow resource to be released before operating on it, leading to NULL dereference (CWE-476)
CVE-2009-3620 — Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference
CVE-2009-2698 — Chain: IP and UDP layers each track the same value with different mechanisms that can get out of sync, possibly resulting in a NULL dereference
CVE-2009-2692 — Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476)
CVE-2009-0949 — Chain: improper initialization of memory can lead to NULL dereference
CVE-2008-3597 — Chain: game server can access player data structures before initialization has happened leading to NULL dereference
CVE-2020-6078 — Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476)
CVE-2008-0062 — Chain: a message having an unknown message type may cause a reference to uninitialized memory resulting in a null pointer dereference (CWE-476) or dangling pointer (CWE-825), possibly crashing the system or causing heap corruption.
CVE-2008-5183 — Chain: unchecked return value can lead to NULL dereference
CVE-2004-0079 — SSL software allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.
CVE-2004-0365 — Network monitor allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.
CVE-2003-1013 — Network monitor allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference.
CVE-2003-1000 — Chat client allows remote attackers to cause a denial of service (crash) via a passive DCC request with an invalid ID number, which causes a null dereference.
CVE-2004-0389 — Server allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference.
CVE-2004-0119 — OS allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted request during authentication protocol selection.
CVE-2004-0458 — Game allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference.
CVE-2002-0401 — Network monitor allows remote attackers to cause a denial of service (crash) or execute arbitrary code via malformed packets that cause a NULL pointer dereference.
CVE-2001-1559 — Chain: System call returns wrong value (CWE-393), leading to a resultant NULL dereference (CWE-476).

CWE-476: NULL Pointer Dereference

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Dynamic Analysis

Manual Dynamic Analysis

Automated Static Analysis

Automated Dynamic Analysis

Code examples

Illustrative examples

Terminology & mappings

Alternate terms

Mapped taxonomies

Frequently asked questions

What is CWE-476?

What CVEs are caused by CWE-476?

Is CWE-476 part of the OWASP Top 10?

How do you prevent CWE-476?

How is CWE-476 detected?

What are the consequences of CWE-476?

Is CWE-476 actively exploited?

References

Stay ahead of CWE-476

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Dynamic Analysis

Manual Dynamic Analysis

Automated Static Analysis

Automated Dynamic Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Related

Terminology & mappings

Alternate terms

Mapped taxonomies

Frequently asked questions

What is CWE-476?

What CVEs are caused by CWE-476?

Is CWE-476 part of the OWASP Top 10?

How do you prevent CWE-476?

How is CWE-476 detected?

What are the consequences of CWE-476?

Is CWE-476 actively exploited?

References

Stay ahead of CWE-476